Windows Authentication on IIS new website not working (fine on default website)
on 01.02.2006 18:15:46 by pdbaker
I'd be really grateful for some help on this one...I'm really not a
security whiz though so please don't baffle me :o)
Trying to move the contents on the default website onto a new website
on the same IIS server but using a different port number (81 instead of
80).
Scenario:
Full IIS (on 2003 server) running on a domain network.
Created a new website (IIS --> Add website), in addition to the default
web site.
Both default and new site set to use Windows authentication. Copied the
wwwroot folder inside inetpub and renamed to projectroot (left it in
inetpub). Copied all the NTFS permissions across to the projectroot
folder. Default website home directory is still wwwroot. New website
home directory is projectroot.
Accessing both sites (pmsweb01:80 and pmsweb01:81) from the local
server itself works fine (integrated authentication ok).
But from elsewhere on the network, the new site (pmsweb01:81) is met
with an authentication challenge. Entering a valid username and
password into this challenge is rejected.
I've ruled out the following:
Not the different port number - changed default website to run on port
82 and no problem.
Not the NTFS permissions on the folder - changed the home directory of
default website to point to projectroot and it works fine.
Got baffled by all the Kerberos/NTLM authentication stuff, found a page
on Microsoft suggesting I force IIS to use NTLM
authentication...followed the suggestions to edit the IIS metabase but
found that authenticationproviders already set to NTLM
(see
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7258232a-5e16-4a83-b76e-11e07c3f2615.mspx)
Found a suggestion that it might be to do with Server 2003 SP1 and
LoopBack checking so disabled that...no good.
(see http://support.microsoft.com/?kbid=896861)
Any thoughts/suggestions very gratefully received.
RE: Windows Authentication on iis new website not working (fine on def
on 01.02.2006 22:33:31 by NickClark
If you're being met with an authentication window then it's definitely IIS
and nothing else. Port numbers have nothing to do with authentication - just where
the web request is sent/picked up. File level security would give you the
access denied or ACL error if those were not right.
Is the server a MS or a SA server? Do users have the proper access
permissions/rights to that machine your web runs on? There are some variables
here!
Something somewhere isn't right with the web site's own
authentication/directory security settings. If authentication baffles you
then you're in for the long haul. Understanding that will keep you from
allowing malicious activity on your site(s). Dig through the following to
troubleshoot the auth issue.
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/f66f23a1-e2ec-4c7b-8023-159f4f7991cc.mspx
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/993a8a36-5761-448f-889e-9ae58d072c09.mspx
http://www.iisfaq.com/
http://www.iisanswers.com/
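Added example, not part of the original posts: one way to check the two sites' own authentication/directory security settings is to diff their keys in a copy of the IIS 6 MetaBase.xml. The fragment below is constructed and simplified (no XML namespace, few properties), and site ID 2 and every value in it are assumptions, not data from the poster's server.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified fragment in the style of IIS 6 MetaBase.xml.
# Site ID 2 and all attribute values are made up for illustration.
SAMPLE = r"""<MBProperty>
  <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"
      ServerBindings=":80:"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="c:\inetpub\wwwroot"
      AuthFlags="AuthNTLM" NTAuthenticationProviders="NTLM"
      AppPoolId="DefaultAppPool"/>
  <IIsWebServer Location="/LM/W3SVC/2" ServerComment="Project"
      ServerBindings=":81:"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" Path="c:\inetpub\projectroot"
      AuthFlags="AuthAnonymous | AuthNTLM" AppPoolId="ProjectPool"/>
</MBProperty>"""

# Properties that are expected to differ between any two sites.
EXPECTED = {"Location", "ServerComment", "ServerBindings", "Path"}


def site_settings(root, site_id):
    """Collect attributes of every key at or below /LM/W3SVC/<site_id>."""
    prefix = f"/LM/W3SVC/{site_id}"
    merged = {}
    for el in root.iter():
        loc = el.get("Location", "").upper()
        # Exact match or a child path; avoids site 1 matching site 10.
        if loc == prefix or loc.startswith(prefix + "/"):
            rel = loc[len(prefix):] or "/"
            for name, value in el.attrib.items():
                merged[(rel, name)] = value
    return merged


def diff_sites(xml_text, site_a, site_b):
    """Return {(relative key, property): (value in a, value in b)}."""
    root = ET.fromstring(xml_text)
    a, b = site_settings(root, site_a), site_settings(root, site_b)
    out = {}
    for key in sorted(set(a) | set(b)):
        if key[1] in EXPECTED:
            continue
        if a.get(key) != b.get(key):
            out[key] = (a.get(key), b.get(key))
    return out


if __name__ == "__main__":
    for (rel, name), (va, vb) in diff_sites(SAMPLE, 1, 2).items():
        print(f"{rel:6} {name:28} site1={va!r} site2={vb!r}")
```

A value of `None` means the property is not set on that site's own key, so the site inherits it from a parent key in the metabase.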
RE: Windows Authentication on iis new website not working (fine on
on 09.03.2006 11:56:34 by LaurentBertin
Got something which looks like the same...
If you're not with SP1, maybe this article is useful:
http://support.microsoft.com/?scid=kb;en-us;832911&spid=2097&sid=global
In my case, if I try using Domain\user (normally it shouldn't be prompted...)
it will always fail; if I try user@domain, doing it multiple times, it
sometimes passes (multiple refreshes and always writing exactly the same values
for user/pass).